Multi-Tenancy Authorization Models for Collaborative Cloud Services
CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. (2014) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/cpe.3446 SPECIAL ISSUE PAPER Multi-tenancy authorization models for collaborative cloud services Bo Tang1,2, Ravi Sandhu1,2 and Qi Li3,1,*,† 1Institute for Cyber Security, University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA 2Department of Computer Science, University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA 3Graduate School at Shenzhen, Tsinghua University, Shenzhen, 518055, China SUMMARY The cloud service model intrinsically caters to multiple tenants, most obviously not only in public clouds but also in private clouds for large organizations. Currently, most cloud service providers isolate user activities and data within a single tenant boundary with no or minimum cross-tenant interaction. It is anticipated that this situation will evolve soon to foster cross-tenant collaboration supported by Authorization as a Service. At present, there is no widely accepted model for cross-tenant authorization. Recently, Calero et al. informally presented a multi-tenancy authorization system (MTAS), which extends the well-known role-based access control model by building trust relations among collaborating tenants. In this paper, we formalize this MTAS model and propose extensions for finer-grained cross-tenant trust. We also develop an administration model for MTAS. We demonstrate the utility and practical feasibility of MTAS by means of an example policy specification in extensible access control markup language. To further test the metrics of the model, we develop a prototype system and conduct experiments on it.
[Show full text]